T1006 - Direct Volume Access#
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as vssadmin, wbadmin, and esentutl) to create shadow copies or backups of data from system volumes. (Citation: LOLBAS Esentutl)
Atomic Tests#
Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)#
This test uses PowerShell to open a handle on the drive volume via the \\.\ DOS device path specifier and perform a direct-access read of the first few bytes of the volume.
On success, a hex dump of the first 11 bytes of the volume is displayed.
For an NTFS volume, it should correspond to the following sequence (NTFS partition boot sector):
```
         00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 EB 52 90 4E 54 46 53 20 20 20 20          ëR?NTFS
```
**Supported Platforms:** windows
Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`
```powershell
# Buffer for the first 11 bytes of the volume: the boot sector's jump
# instruction (EB 52 90) followed by the 8-byte OEM ID ("NTFS    ")
$buffer = New-Object byte[] 11
# Open the raw volume through its \\.\ DOS device path, read-only, with
# read/write sharing so the open does not conflict with the system's own use
$handle = New-Object IO.FileStream "\\.\C:", 'Open', 'Read', 'ReadWrite'
$handle.Read($buffer, 0, $buffer.Length)
$handle.Close()
# Display the bytes that were read
Format-Hex -InputObject $buffer
```
Run this test with Atomic Red Team's Invoke-AtomicTest:
```powershell
Invoke-AtomicTest T1006 -TestNumbers 1
```
Detection#
Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)
Monitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through PowerShell, additional logging of PowerShell scripts is recommended.
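One way to act on the guidance above is to triage Sysmon Event ID 9 (RawAccessRead) records, which Sysmon emits when a process opens a volume through the `\\.\` device path. This is an added example, not code from ATT&CK or Atomic Red Team; the event records are constructed (XML namespace omitted) and the allow-listed backup agent path is a hypothetical placeholder.

```python
import xml.etree.ElementTree as ET

# Added example: constructed Sysmon-style Event ID 9 (RawAccessRead) records,
# namespace omitted. The backup agent path in the allow-list is hypothetical.
ALLOWED_RAW_READERS = {r"c:\program files\examplebackup\agent.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}  # page: often driven from PowerShell

SAMPLE_EVENTS = [
    '<Event><System><EventID>9</EventID></System><EventData>'
    '<Data Name="ProcessId">4120</Data>'
    '<Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>'
    '<Data Name="Device">\\Device\\HarddiskVolume3</Data></EventData></Event>',
    '<Event><System><EventID>9</EventID></System><EventData>'
    '<Data Name="ProcessId">880</Data>'
    '<Data Name="Image">C:\\Program Files\\ExampleBackup\\agent.exe</Data>'
    '<Data Name="Device">\\Device\\HarddiskVolume3</Data></EventData></Event>',
    '<Event><System><EventID>1</EventID></System><EventData>'
    '<Data Name="ProcessId">512</Data>'
    '<Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data></EventData></Event>',
]


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    return int(root.findtext("System/EventID")), data


def triage_raw_access(events):
    """Flag RawAccessRead events whose Image is not an expected raw reader.

    Script hosts get 'high' severity; any other unexpected image 'medium'.
    """
    alerts = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != 9:  # only RawAccessRead (\\.\ volume opens) matters here
            continue
        image = data.get("Image", "")
        if image.lower() in ALLOWED_RAW_READERS:
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        alerts.append({"pid": int(data.get("ProcessId", 0)), "image": image,
                       "device": data.get("Device", ""),
                       "severity": "high" if exe in SCRIPT_HOSTS else "medium"})
    return alerts
```

Feed it the events from a real Sysmon channel and pair the "high" alerts with the PowerShell script block logging the page recommends to see what the script did with the handle.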
Shield Active Defense#
Software Manipulation#
Make changes to a system’s software properties and functions to achieve a desired effect.
Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system.
Opportunity#
There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.
Use Case#
A defender can use API calls associated with direct volume access to either see what activity and data is being passed through, or to influence how that API call functions.
Procedures#
Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities.
Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use.
Alter the output of an adversary’s profiling commands to make newly-built systems look like the operating system was installed months earlier.
Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data.